
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-39143 is a critical vulnerability in PaperCut NG and PaperCut MF print management software, affecting versions before 22.1.3 when the application server runs on Windows. It was discovered in May 2023 by Horizon3 and patched in July 2023 with the release of 22.1.3. The flaw is in the application server component and lets an unauthenticated, network-reachable attacker perform path traversal against it (Horizon3 Advisory, NVD).
The vulnerability carries a CVSS v3.1 base score of 9.8 (CRITICAL), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It is a chain of path traversal issues, one in the WebDAV endpoint and one in the CustomReportExample servlet, that together allow a request to reach functionality that should require authentication. The root cause is that backslash characters in request paths were not sanitized. On Windows the file system treats a backslash as a path separator just like a forward slash, so a request that a path filter sees as harmless can still traverse directories once it reaches the file layer; this is why only Windows installations are affected (Horizon3 Writeup).
An unauthenticated attacker can use the flaw to read, delete, and upload arbitrary files on the PaperCut application server. When the external device integration setting is enabled, which is a common configuration, file upload can be turned into remote code execution. Horizon3 reports that, in the installations they observed, the majority run on Windows with external device integration enabled, so most exposed servers should be treated as exploitable until patched (Horizon3 Advisory).
The primary mitigation is to upgrade to PaperCut NG/MF version 22.1.3 or later; this is the only change that removes the flaw itself. Organizations that cannot upgrade immediately can reduce exposure by configuring an allowlist of device IP addresses that are permitted to communicate with the PaperCut server, following the "IP Address Allow-listing" section of PaperCut's security best practices guide. The allowlist only limits which sources can reach the vulnerable endpoints, so a host that is on the allowlist, or an attacker who has compromised one, can still exploit an unpatched server (PaperCut Security Bulletin).
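The separator confusion described above is easiest to see in code. The following is an added, self-contained illustration written for this page; it is not PaperCut's code and does not reproduce the PaperCut endpoints. It uses a hypothetical request filter (`filter_vulnerable`) that canonicalizes only `/`-separated paths before deciding whether a request needs a login, a stand-in for how a Windows file layer resolves the same URL (`resolve_on_windows`), and a hardened filter (`filter_hardened`) that folds backslashes to forward slashes before canonicalizing. The prefixes, document root and probe URL are all constructed for the example.

```python
"""Added example: Windows path-separator confusion in an HTTP path filter.

Hypothetical toy, not PaperCut's code. It models the class of bug in the
advisory: a request filter canonicalizes paths using '/' only, while the
file layer behind it runs on Windows and also honours '\\' as a separator.
"""
import ntpath
import posixpath
from urllib.parse import unquote

# Constructed for the example: URL prefixes that should require a session.
AUTH_REQUIRED_PREFIXES = ("/webdav/", "/admin/")
# Constructed for the example: URL prefixes anyone may reach.
PUBLIC_PREFIXES = ("/public/",)
# Constructed for the example: a hypothetical Windows document root.
DOC_ROOT = r"C:\app\server\webroot"


def filter_vulnerable(url_path: str) -> bool:
    """Return True if the request may proceed without authentication.

    Bug: posixpath.normpath treats only '/' as a separator, so a segment
    like '..\\webdav' is an ordinary directory name to the filter and the
    '..' never collapses. The path still looks like it lives under /public/.
    """
    canon = posixpath.normpath(unquote(url_path))
    if canon.startswith(AUTH_REQUIRED_PREFIXES):
        return False
    return canon.startswith(PUBLIC_PREFIXES)


def filter_hardened(url_path: str) -> bool:
    """Same policy, but backslashes are folded to '/' before canonicalizing,
    so the filter and the Windows file layer agree on what the path means."""
    decoded = unquote(url_path).replace("\\", "/")
    canon = posixpath.normpath(decoded)
    if not canon.startswith("/"):
        return False          # reject relative paths outright
    if canon.startswith(AUTH_REQUIRED_PREFIXES):
        return False
    return canon.startswith(PUBLIC_PREFIXES)


def resolve_on_windows(url_path: str) -> str:
    """How a Windows file layer maps the URL to disk: ntpath collapses both
    separators, so a '..' introduced with a backslash is honoured."""
    rel = unquote(url_path).replace("/", "\\")
    return ntpath.normpath(DOC_ROOT + rel)


def demo() -> dict:
    """Run the three functions against a constructed traversal probe.

    The probe URL-encodes the backslash (%5c); unquote() restores it, which
    is the form the vulnerable filter then fails to treat as a separator.
    """
    probe = "/public/..%5cwebdav/secret.txt"
    return {
        "probe": probe,
        "vulnerable_filter_allows": filter_vulnerable(probe),
        "hardened_filter_allows": filter_hardened(probe),
        "resolved_on_disk": resolve_on_windows(probe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the example is the mismatch, not either function on its own: `filter_vulnerable` accepts `/public/..%5cwebdav/secret.txt` because its canonical form still begins with `/public/`, while the Windows-style resolution of the very same string lands inside `webdav`. The hardened version canonicalizes the path the way the file system will, and any code that builds an allowlist or authentication decision from a URL on Windows needs to do the same before comparing prefixes.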
Source: This report was generated using AI